What is JWT

tags: learning programming

content

  • JSON Web Token, a self-contained way to transmit information securely
  • when a client logs in, the server validates its credentials and sends back a JWT
    • the client can then include the JWT in every request
    • the server checks the JWT instead of asking the user to sign in every single time
  • a JWT contains 3 parts, separated by a dot (.)
    • header
    • payload
    • signature
      • the signature is generated with the server’s secret key
  • a JWT is base64url-encoded (a URL-safe variant of base64), it’s not encrypted
    • so a JWT is signed (provides authenticity, it can be verified that it comes from the server)
    • but it’s not encrypted (it’s just base64url encoding, anyone holding the token can read it)
  • why is a JWT secure then?
    • it’s secure in the sense that it’s signed by the server, so it can’t be tampered with (the payload inside can’t be changed without the signature check failing)
    • but it’s not secure in the sense that it can be intercepted and used by attackers for impersonation
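The three points above (three dot-separated parts, a key-based signature, base64url rather than encryption) can be seen end to end with a small HS256 JWT built from the Python standard library. This is an added example, not code from the original notes; the secret, the claims and the helper names are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

def b64url_encode(data: bytes) -> str:
    # JWT uses base64url without trailing '=' padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    # restore the padding that was stripped on encode
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(payload: dict, secret: bytes) -> str:
    # header.payload are encoded first; the signature covers exactly that string
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(payload)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def read_payload_without_key(token: str) -> dict:
    # no secret needed: the payload is only encoded, not encrypted
    return json.loads(b64url_decode(token.split(".")[1]))

def verify_jwt(token: str, secret: bytes) -> Optional[dict]:
    # returns the claims if the signature is valid, None otherwise
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # only accept the algorithm we issue
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))

def modified_payload_same_signature(token: str, changes: dict) -> str:
    # re-encode an edited payload but keep the old signature: the server must reject it
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload.update(changes)
    return header_b64 + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()) + "." + sig_b64

SECRET = b"constructed-demo-secret"          # constructed; a real server keeps this private
TOKEN = sign_jwt({"sub": "alice", "role": "user"}, SECRET)  # constructed claims
```

Decoding the payload works without the secret, while changing a single claim or verifying with a different secret makes `verify_jwt` return None; note that a valid token presented by whoever holds it still verifies, which is the interception risk the notes describe.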
